The University Information Security Policy & InfoSec one year on…

Tom Anstey

Weatherall Institute of Molecular Medicine & InfoSec

[email protected]

http://www.it.ox.ac.uk/infosec/infosecproject/


The need for a Policy!

OxCERT led an Information Security Self-Assessment in 2007-2009



Cookie legislation, May 2012



Creating a University Policy (2)

ICTF staff + Council Secretariat



Governance: Central vs. Local

  • The University Policy tells you *what* to do - a local policy gives more on *how* you do it in your unit

  • The responsibility is devolved downwards, but if the correct local policies and risk assessments are in place and carried out, the responsibility for risk goes upwards

  • Creation of Information Security Advisory Group (ISAG) chaired by Emma Rampton in Council Secretariat; includes University Security Service, Conference of Colleges, ICTF, Academics & InfoSec


Identify the problems – Risk Assessments


Non-IT Security

Includes liaison with:

  • University Marshal

  • Bio-Medical services

  • Legal services

  • Hospital trusts

  • Personnel services

Not just an IT issue

The flowchart for data encryption could equally be used as a paper-waste destruction protocol.


Whole Disk Encryption

Finding a balance between security and usability.


Lunchtime seminars

  • Each term

  • 5 speakers

  • 8 sessions



Incident register


Is guidance to IT Staff enough?

  • IT Staff don’t own the sensitive data

  • They don’t know what is stored, nor the associated risk

  • What about paper copies? Is it really IT’s problem?


Divisional briefings to administrators

This is where the power really is!

They’re now on board and understand the need for improved practices, and a local policy.

Improved understanding of a unit’s responsibility and liability.


It’s in the Toolkit!

Examples

Explanations

Encryption

… easy to read!

On-going work in progress

Aims to meet ISO2007:2005

http://www.it.ox.ac.uk/infosec/istoolkit/


Centre for the Protection of National Infrastructure

Government cyber-security initiative

Fits in with other ox.ac.uk academic work

e.g. Andrew Martin, Sadie Creese et al.




Summary

  • Provide proper management backing to get a unit policy into place

  • Increase user awareness and provide training to all users

  • Create information asset & risk registers and develop a business continuity plan for disaster recovery. Start on high impact areas.

  • Manage mobile devices, and encrypt laptop hard disks and devices containing sensitive data, or provide secure remote access

  • Purchase and issue encrypted devices that allow managed password recovery to those needing to remove sensitive data

  • Act on your risk assessments. Give a reasonable timescale for implementation; it is a culture change

